Security 10810 Published by

IPFire 2.27 - Core Update 162 has been released. IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 162 released

Just before Christmas, it is time for the last release of the year: IPFire 2.27 - Core Update 162. It comes with a brand-new kernel based on Linux 5.15, and it will be the last release supporting the i586 architecture.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development:  https://www.ipfire.org/donate.

Linux 5.15

Once a few releases after upgrading to Linux 5.10, we have now rebased the IPFire kernel on Linux 5.15. Due to dropping or upstreaming our patchset this was a lot easier than the previous step to 5.10.

The new kernel is long-term supported by the Linux kernel developers and comes with various new drivers and performance improvements. Noteworthy are various performance improvements on "zero copy" for increased throughput and lower latency; Core Scheduling ( for safer Hyperthreading), and a new drivers for NTFS.

We have continued our work to take advantage of improvements in the kernel that help to decrease CPU usage when forwarding large numbers of packets. In certain environments, this enables IPFire to significantly more throughput and lower latency since more CPU resources are available when needed.

Deprecating i586

This is the last release supporting 32 bit Intel-compatible processors - in our case i586 and older.  Having announced this plan a year ago, the time has finally come.

We are very hopeful that we will be able to concentrate our limited development time more on architectures and features that are used by the masses instead of keeping support for something that only a few people are still using and that is becoming harder and harder since so many distributions have already done this step which leaves us with lots of bugs to find ourselves instead of taking advantage of the open source community.

If you are running on an i586 system, you should backup your configuration, perform a fresh installation with a supported architecture and restore the backup. We encourage you to migrate immediately as it will be done in less than half an hour.

Misc.

  • IPS: A long-stand bug has been discovered which caused that some TCP connections could not be opened and timed out. This happened on TCP stacks that use the timestamp option and where the first SYN packet does not reach the server. Due to the state of the repeated packet not being considered, the IPS did not allow any SYN-ACK packets back through to the client which caused the connection to time out. This has been fixed and  submitted upstream.
  • The web user interface has gained a new "help" option which will bring you to the correct page on the  IPFire Wiki.
  • IPFire Location has added the new "DROP" category (allocated country code XD) which has a curated list of networks which nobody is ever expected to talk to
  • OpenVPN: An error has been fixed which caused to show an "Internal Server Error" after generating root and host certificates ( #12574)
  • Dynamic DNS: Fix broken updates freedns.afraid.org after API change
  • jwhois has been replaced with an actively maintained version of whois
  • The installer will now correctly create EFI boot entries on all BIOSes. This used to fail on ARM64-based machines.
  • Updated packages: BIND 9.16.22, bison 3.8.2, coreutils 9.0, dhcpcd 9.4.1, gawk 5.1.1, jansson 2.14, knot 3.1.1, libhtp 0.5.39, libloc 0.9.8, libseccomp 2.5.3, libxcrypt 4.4.26, meson 0.59.2, OpenVPN 2.4.4, OpenSSH 8.8p1, slang 2.3.2, suricata 5.0.8, unbound 1.13.2, xtables-addons 3.18

Add-ons

  • Updated packages: ClamAV 0.104.1, dnsdist 1.6.1, libffi 3.4.2, Postfix 3.6.3, strace 5.14, sslh 1.22c, sshfs 3.7.2, Tor 0.4.6.8


IPFire 2.27 - Core Update 162 released